Avatar of recellular

asked on 

Required Administrative Share Security for Domain Controller

Recently the domain controller at a remote facility shut down and took the entire network down as a result (it also is a DNS, WINS, and DHCP server).  I was able to determine that the machine and had someone at the facility power it back on.

During the troubleshooting phase, I found that the C: drive had been filled to capacity which caused the shutdown.  After moving the files on to the file server at that location (crazy concept!) I began looking at securities on the drives.

I found that under the Security tab of the Administrative Share (both C and D as those are the two disks/partitions available on this box) that "Everyone" had full access.

I checked the securities on our local domain controllers and found the same setup was in play.

I've inherited this network and I'm still learning (and have a long way to go), but even in my lack of knowledge about many of the facets of network security requirements, this seems like a huge hole that was left open.

My question is this:  Since this is a Domain Controller/DHCP/DNS/WINS box, is there any reason that the administrative shares cannot be locked down?  I would like to leave only the Domain Admin group with access to these drives.

Thanks in advance for your help and dealing with the n00b!
OS SecurityActive Directory

Avatar of undefined
Last Comment
Avatar of snusgubben
Flag of Norway image

Share access is not Security access as you may look at. An admin share has the admin group access to if the share permission hasn't been changed.

If you look at file security it means security from the local machine.

If you look at the share permission, it's the permissions that regards a remote access.

i.e from remote computer:
Share permission: READ
File permission: FULL
Effective permission: READ

By defult "Everyone"  has access to the root of C:, but read access to the "Windows folder".

Dunno if this was of any help ;)

Avatar of recellular


I think I follow that, but perhaps not.

If I look at the properties of the C: drive and check the Sharing tab, I'm shown the C$ share.  Obviously, this is the administrative share and click on the Permissions tab says "This has been shared for administrative purposes.  The permissions cannot be set."  I get that and I'm okay with that part.  My concern lies under the Security tab.

What I'm seeing is "Everyone" with Allow access for Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. That, to me, seems to be the risk and how the drive got filled in the first place.

If I wanted to prevent any user from filling the C drive (not just the Windows folder, but ANY folder) while still allowing Domain Admins to have the rights to copy/paste/add/delete/etc., is it safe to remove the Everyone group and their associated securities knowing that this is a DC/DHCP/DNS/WINS box?

I hope that explains what I'm trying to do.
Avatar of snusgubben
Flag of Norway image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of recellular


I pulled "Everyone" from the Security tab of the administrative share.

Bad idea, I'm guessing.  The server crashed.  Luckily I had a second server that could act as the domain controller and I just needed to add the backup as the new DHCP server.

Learned from my own mistakes!

I'll close this topic and reopen a new one if I'm gutsy.
Active Directory
Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo